Welcome to my information security blog. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.
One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. If you do, please provide your name.
If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2007-10-28

In the past few years, user education has been all the rage in the security industry. Today, we are quick to point out that one of the biggest computer vulnerabilities is actually not in the computer at all, but rather the mound of carbon and water exerting force normal to the surface of the keyboard. Unfortunately, this externalization of the security problem has become an excuse for the shortcomings of IT and information security just as frequently as it is the actual cause of compromise.

While the industry largely neglected user education until very recently, it is not the panacea we are making it out to be. Any time you hear about a computer security failure, the response from "security experts" is always "patch and educate your users." Both are important, but such a response trivializes the underlying complexity of computer systems and the persistence of the advanced, skilled adversary. Take the following example from Forbes, discussing alleged security breaches at military contractors, which quotes Alan Paller, director of SANS:

'More important than the elusive identity of hackers is the question of how to keep them at bay. Paller recommends that corporate security offices teach employees to be on the lookout for fraudulent e-mails. Companies could "inoculate" staff by occasionally spoofing phishing e-mails themselves and then alerting their victims, Paller suggests.'

It's a shame that someone as highly visible and regarded as Alan Paller would take the opportunity to get a sound bite, presumably before using his contacts to understand the facts, if any, behind the article. Regardless, this is a perfect example of what I'm talking about. User education can only go so far, and is unlikely to thwart dedicated attackers. To follow this example through: what if the attacker includes a signature block in the email with legitimate contact information? What if the name on the From: line is someone the target knows? This information can be trivially forged, and it can be just as trivially collected. Have you ever scrutinized an email that is "from" someone you work with, with their valid signature at the bottom, containing a Word document that seems topically relevant? Then why would your users? It goes further: adversaries can, and have, compromised real accounts, which they then use to spread infected documents. So in some cases even legitimate email can't be trusted.
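To make the forgery point concrete, here is an added example (not code from the original post) in Python. It builds three constructed messages: a forged From: with a relay envelope sender and diverted Reply-To, a lookalike domain carrying a real colleague's display name, and a message sent from the colleague's genuinely compromised account. A handful of header-consistency checks run over each. The domain example.com, the sender directory, the names and the messages are all assumptions made for the example; the point is that the third sample passes every header check, exactly as the paragraph above argues.

```python
"""Header-consistency checks over constructed phishing samples (hypothetical example)."""
from email.message import EmailMessage
from email.utils import parseaddr
import os

OWN_DOMAIN = "example.com"                       # assumption: the target's own domain
# Constructed directory of known senders: display name -> canonical address.
DIRECTORY = {"Jane Doe": "jane.doe@example.com"}
RISKY_EXT = {".doc", ".xls", ".ppt", ".exe", ".scr", ".pif"}   # typical 2007-era lures


def domain_of(header_value):
    """Return the lowercase domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(msg):
    """Return a list of anomaly tags for one message.

    Every check here is a header-consistency heuristic; none of them can tell
    whether the sending account itself has been compromised (see sample 3).
    """
    tags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(msg.get("From"))

    # 1. A known colleague's display name attached to a foreign address.
    known = DIRECTORY.get(name)
    if known and addr.lower() != known:
        tags.append("display-name-impersonation")

    # 2. Envelope sender (Return-Path) does not match the From: domain.
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        tags.append("return-path-mismatch")

    # 3. Replies are diverted to a domain other than the claimed sender's.
    rt_dom = domain_of(msg.get("Reply-To"))
    if rt_dom and rt_dom != from_dom:
        tags.append("reply-to-diverted")

    # 4. Office or executable attachment.
    for part in msg.iter_attachments():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in RISKY_EXT:
            tags.append("risky-attachment:" + ext)
    return tags


def build(from_hdr, return_path, reply_to=None, attachment=None):
    """Construct a sample message (constructed data; no real mail involved)."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 budget revisions"
    msg["Return-Path"] = return_path
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Bob, please review the attached.\n\nJane Doe, Finance, x4411\n")
    if attachment:
        # Four bytes of OLE header stand in for a real .doc body.
        msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application",
                           subtype="msword", filename=attachment)
    return msg


# Sample 1: classic forgery. Right name and address on the From: line, but
# bounced through a third-party relay with replies diverted to webmail.
FORGED = build('"Jane Doe" <jane.doe@example.com>',
               "<bounce-8841@mailer.invalid>",
               reply_to="jane.doe@webmail.invalid",
               attachment="Q3_budget.doc")

# Sample 2: lookalike domain carrying a real colleague's display name.
LOOKALIKE = build('"Jane Doe" <jane.doe@examp1e.com>',
                  "<jane.doe@examp1e.com>",
                  attachment="Q3_budget.doc")

# Sample 3: the real account, compromised. Every header is genuine; only the
# attachment heuristic has anything to say.
COMPROMISED = build('"Jane Doe" <jane.doe@example.com>',
                    "<jane.doe@example.com>",
                    attachment="Q3_budget.doc")


if __name__ == "__main__":
    for label, m in [("forged", FORGED), ("lookalike", LOOKALIKE),
                     ("compromised", COMPROMISED)]:
        print(f"{label:12s} {analyze(m)}")
```

Run stand-alone, the script tags the forged message three ways and the lookalike twice, but for the compromised account it can only point at the attachment, which is indistinguishable from the budget spreadsheet Jane really does send every quarter. Header checks of this kind are worth having, but they bound what any amount of user training (or filtering) can achieve against an adversary who holds a real account.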

The bottom line is that user education is important. We all know it's important. But let's make sure it is the answer when it needs to be, and not the reflexive response to any and every notion of computer compromise. If that reflex isn't tempered, it will inevitably undermine the industry's credibility.

In the past, I had relied on my web browser to track RSS feeds for me. A few weeks ago, I began using Bloglines based on the recommendation of both my roommate and coworker. It has changed my blog-reading life. Some benefits:

Folder-based categorization system showing number of unread entries for each feed and folder

Unseen entries for a feed displayed in a frame next to your feed listing (order adjustable)

Ability to flag entries as persistent (shown whenever a feed is viewed, even if no longer new)

I'm able to more efficiently keep tabs on all of my security related websites, and search what other people are reading - but be careful! If you don't want others to see blogs you're reading, be sure to mark them "Private" when subscribing to the feed.

About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing a MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.